U.S. Patent Application Serial No. 10/817,154 

Office Action Dated: March 17, 2008 

Reply To Office Action Mailed On March 17, 2008 



AMENDMENTS TO THE CLAIMS ; 

This listing of claims will replace all prior versions, and listing, of claims in the application: 
Listing of Claims : 

1 . (Currently Amended) A computer-implemented method of authenticating an identity 
of a user seeking access to a relying computing entity, wherein the identity of the user is issued 
by an authentication service and is not issued by the relying computing entity, the method 
comprising: 

receiving at a broker service an authentication request from the relying computing entity 
to authenticate the identity of the user , wherein the authentication request does not include an 
identification of an authentication service^ MI 

identifying, by the broker service, an appropriate authentication service among a plurality 
of authentication services, wherein 

£a) a first trust relationship exists between the relying computing entity and the 

broker service;[[,]] and 

(b) a second trust relationship exists between the identified authentication service 
and the broker service; , in the absenc e of a 

(c) no relevant trust relationship e xisting exists between the identified 
authentication service and the relying computing entity; and 

(d) identifying of the appropriate authentication service is based at least in part on 
determining that the second trust relationship exists: 

receiving an authentication response from the identified authentication service T 
r e sponsive to receiving th e authentication r e quest at the broker service; and 

sending an authentication response from the broker service to the relying computing 
entity representing a trusted authentication of the identity of the user to the relying computing 
entity based on the first trust relationship and the second trust relationship. 

2. (Currently Amended) The method of claim 1 further comprising: sending the 
authentication request to the identified authentication service, responsive to receiving the 
authentication request at the broker service. 
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3. (Currently Amended) The method of claim 1 further comprising: collecting a 
credential of the user, responsive to receiving the authentication request at the broker service; 
and sending the credential to the identified authentication service for validation by the identified 
authentication service. 

4. (Original) The method of claim 1 wherein the credential cannot be interpreted by the 
broker service. 

5. (Currently Amended) The method of claim 1 wherein the broker service and the 
identified authentication service are hosted by a single computing system. 

6. (Currently Amended) The method of claim 1 wherein the broker service and the 
identified authentication services are hosted within a single computing entity. 

7. (Currently Amended) The method of claim 1 wherein authentication account 
information associated with the user and maintained by the identified authentication service is 
accessible through an interface to the identified authentication service. 

8. (Original) The method of claim 1 further comprising: validating based on the first trust 
relationship that the authentication request was received by the broker service from the relying 
computing entity. 

9. (Original) The method of claim 1 wherein other computing entities have trust 
relationships established with the broker service. 

10. (Original) The method of claim 1 wherein the first trust relationship represents an 
agreement between the broker service and the relying computing entity to comply with one or 
more brokered authentication rules. 

1 1 . (Original) The method of claim 1 wherein the first trust relationship represents an 
exchange of one or more security keys between the broker service and the relying computing 
entity. 
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12. (Original) The method of claim 1 wherein the first trust relationship represents an 
agreement by the relying computing entity to recognize assertions provided by the broker 
service. 

13. (Original) The method of claim 1 wherein the operation of receiving at a broker 
service an authentication request is responsive to an access request by the user for access to the 
relying computing entity. 

14. (Original) The method of claim 1 wherein the operation of receiving at a broker 
service an authentication request comprises: receiving the authentication request at the broker 
service as a redirected message through a computer system of the user. 

15. (Currently Amended) The method of claim 1 further comprising: validating a 
credential received from the user by the identified authentication service. 

16. (Original) The method of claim 1 further comprising: sending a challenge request to 
the user, responsive to the operation of receiving at a broker service an authentication request; 
and validating a credential received from the user in response to the challenge request. 

17. (Original) The method of claim 1 further comprising: returning a session ticket to the 
user to allow user access to the relying computing entity. 

18. (Currently Amended) The method of claim 1 further comprising: redirecting the user 
to the identified authentication service based on an identifier of the user. 

19. (Currently Amended) The method of claim 1 further comprising: translating the 
authentication response received from the identified authentication service into a protocol 
recognized by the relying computing entity. 

20. (Currently Amended) A compute r-readable medium encoding computer executable 
instructions encoding a method program product encoding a comput e r program for e x e cuting on 
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a computer system a computer process for authenticating an identity of a user seeking access to a 
relying computing entity, wherein the identity of the user is issued by an authentication service, 
the computing process comprising: 

receiving at a broker service an authentication request from the relying computing entity 
to authenticate the identity of the use r, wherein the authentication request does not include an 
identification of an authentication service; [[,]] 

identifying, by the broker service, an appropriate authentication service from among a 
plurality of authentication services, wherein: 

(a) a first trust relationship exists between the relying computing entity and the 
broker service; [[,]] and 

(b) a second trust relationship exists between the identified authentication service 
and the broker service; 

(c) no relevant trust relationship exists between the identified authentication 
service and the relying computing entity; and 

(d) identifying of the appropriate authentication service is based at least in part on 
determining that the second trust relationship exits; 

receiving an authentication response from the identified authentication service; and 
sending an authentication response from the broker service to the relying computing 
entity representing a trusted authentication of the identity of the user to the relying computing 
entity based on the first trust relationship and the second trust relationship. 

21 . (Currently Amended) The computer -readable medium program product of claim 20 
wherein the computer process further comprises: sending the authentication request to the 
identified authentication service, responsive to receiving the authentication request at the broker 
service. 

22. (Currently Amended) The computer -readable medium program product of claim 20 
wherein the computer process further comprises: collecting a credential of the user, responsive to 
receiving the authentication request at the broker service; and sending the credential to the 
identified authentication service for validation by the authentication service. 
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23. (Currently Amended) The compute r-readable medium program product of claim 20 
wherein the credential cannot be interpreted by the broker service. 

24. (Currently Amended) The computer -readable medium program product of claim 20 
wherein the broker service and the identified authentication service are hosted by a single 
computing system. 

25. (Currently Amended) The computer -readable medium program product of claim 20 
wherein the broker service and the identified authentication services are hosted within a single 
computing entity. 

26. (Currently Amended) The compute r-readable medium program product of claim 20 
wherein authentication account information associated with the user and maintained by the 
identified authentication service is accessible through an interface to the authentication service. 

27. (Currently Amended) The computer -readable medium program product of claim 20 
wherein the computer process further comprises: validating based on the first trust relationship 
that the authentication request was received by the broker service from the relying computing 
entity. 

28. (Currently Amended) The compute r-readable medium program product of claim 20 
wherein other computing entities have trust relationships established with the broker service. 

29. (Currently Amended) The compute r-readable medium program product of claim 20 
wherein the first trust relationship represents an agreement between the broker service and the 
relying computing entity to comply with one or more brokered authentication rules. 

30. (Currently Amended) The compute r-readable medium program product of claim 20 
wherein the first trust relationship represents an exchange of one or more security keys between 
the broker service and the relying computing entity. 
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3 1 . (Currently Amended) The compute r-readable medium program product of claim 20 
wherein the first trust relationship represents an agreement by the relying computing entity to 
recognize assertions provided by the broker service. 

32. (Currently Amended) The compute r-readable medium program product of claim 20 
wherein the operation of receiving at a broker service an authentication request is responsive to 
an access request by the user for access to the relying computing entity. 

33. (Currently Amended) The compute r-readable medium program product of claim 20 
wherein the operation of receiving at a broker service an authentication request comprises: 
receiving the authentication request at the broker service as a redirected message through a 
computer system of the user. 

34. (Currently Amended) The computer -readable medium program product of claim 20 
wherein the computer process further comprises: validating a credential received from the user 
by the identified authentication service. 

35. (Currently Amended) The compute r-readable medium program product of claim 20 
wherein the computer process further comprises: sending a challenge request to the user, 
responsive to the operation of receiving at a broker service an authentication request; and 
validating a credential received from the user in response to the challenge request. 

36. (Currently Amended) The compute r-readable medium program product of claim 20 
wherein the computer process further comprises: returning a session ticket to the user to allow 
user access to the relying computing entity. 

37. (Currently Amended) The compute r-readable medium program product of claim 20 
wherein the computer process further comprises: redirecting the user to the identified 
authentication service based on an identifier of the user. 

38. (Currently Amended) The compute r-readable medium program product of claim 20 
wherein the computer process further comprises: translating the authentication response received 
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from the identified authentication service into a protocol recognized by the relying computing 
entity. 

39. (Currently Amended) A computer system for authenticating an identity of a user 
seeking access to a relying computing entity, wherein the identity of the user is issued by an 
authentication service, the computing system comprising: 

an authentication broker service having a first trust relationship with the relying 
computing entity and a second trust relationship with [[the]] an appropriate authentication 
service identified by the authentication broker service from among a plurality of authentication 
services, wherein the identifying of the appropriate authentication service is based at least in part 
on determining that the second trust relationship exists , the authentication broker service 
receiving an authentication request from the relying computing entity to authenticate the identity 
of the use r, wherein the authentication request does not include an identification of an 
authentication service, and receiving an authentication response from the appropriate 
authentication service, the authentication broker service further sending an authentication 
response to the relying computing entity representing a trusted authentication of the identity of 
the user to the relying computing entity based on the first trust relationship and the second trust 
relationship. 

40. (Currently Amended) A method of establishing a brokerable trust relationship 
between an authentication broker service and each of a plurality of computing entities, the 
method comprising: 

establishing one or more brokered authentication rules governing brokered authentication 
through the authentication broker service; 

obtaining an agreement from each computing entity to comply with the one or more 
brokered authentication rules; and configuring the authentication broker service to authenticate 
identities of one or more users for each computing entity in accordance with the one or more 
brokered authentication rules, wherein the one or more users have identities issued by one or 
more appropriate authentication services identified by the authentication broker service from a 
plurality of authentication services, the one or more appropriate authentication services having 
trust relationships with the authentication broker servic e, wherein identifying of the appropriate 
authentication service is based at least in part on determining that the trust relationship exists . 
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41. (Original) The method of claim 40 further comprising: exchanging one or more 
security keys between the authentication broker service and each of the computing entities. 

42. (Currently Amended) A computer -readable medium encoding computer executable 
instructions encoding a method program product encoding a comput e r program for o xocuting on 
a comput e r system a computer proc e ss for establishing a brokerable trust relationship between an 
authentication broker service and each of a plurality of computing entities, the computer process 
comprising: 

establishing one or more brokered authentication rules governing brokered authentication 
through the authentication broker service; 

obtaining an agreement from each computing entity to comply with the one or more 
brokered authentication rules; and configuring the authentication broker service to authenticate 
identities of one or more users for each computing entity in accordance with the one or more 
brokered authentication rules, wherein the one or more users have identities issued by one or 
more appropriate authentication services identified by the authentication broker service from a 
plurality of authentication services, the one or more appropriate authenti cation services having 
trust relationships with the authentication broker service , wherein identifying of the appropriate 
authentication service is based at least in part on determining that the trust relationship exists . . 

43. (Currently Amended) The compute r-readable medium program product of claim 42 
wherein the computer process further comprises: exchanging one or more security keys between 
the authentication broker service and each of the computing entities. 
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